Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS #534

Open
joseph-hannon opened this issue Apr 4, 2019 · 2 comments · Fixed by #1675 or bee-san/CyberFork#43
Open

Feature request: Support LZNT1 (de)compression used in Windows' RtlDecompressBuffer and NTFS #534

joseph-hannon opened this issue Apr 4, 2019 · 2 comments · Fixed by #1675 or bee-san/CyberFork#43
Labels
help wanted operation

Comments

@joseph-hannon
Copy link

Summary

On Windows malware will often compress embedded shellcode/payloads and then use RtlDecompressBuffer to decompress it, with LZNT1 decompression. NTFS also uses this compression method. Here is an example of a pure Python implementation.
@notdeclan
Copy link

Agreed this would be nice

@0xThiebaut 0xThiebaut mentioned this issue Dec 25, 2023
Merged
bee-san pushed a commit to bee-san/CyberFork that referenced this issue Dec 27, 2023
Add support for LZNT1 decompression
cc86650 
Introduces support for LZNT1 decompression, commonly leveraged by malware through RtlDecompressBuffer (closes gchq#534).

The decompression logic is ported from go-ntfs, the test data is similar to malduck's.

from: gchq#1675
@bee-san bee-san mentioned this issue Dec 27, 2023
Merged
@Ana06 Ana06 mentioned this issue Jan 30, 2024
Merged
@a3957273
Copy link
Member

a3957273 commented Feb 3, 2024

Reopening as #1675 only handles decompression, whereas this ticket also requests compression.

@a3957273 a3957273 reopened this Feb 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted operation
Projects
None yet
Milestone
No milestone
4 participants
@joseph-hannon @n1474335 @notdeclan @a3957273